Today's network managers are inundated with information about Multiprotocol Label Switching (MPLS) VPNs. However, taking advantage of the benefits of MPLS -- including its flexibility, speed, cost efficiency and segmentation capabilities -- does not necessarily mean implementing these VPNs throughout your own network. With the exception of some of the largest enterprises, which have extensive IT resources and expertise, most businesses may wish to consider the services offered by MPLS providers. These allow you to take full advantage of the infrastructure maintained by the service provider without incurring the cost of deploying MPLS.
Selecting a provider for an MPLS VPN service can be a daunting task, however, and it requires taking the time to assess your networking requirements, environment and objectives. This article discusses the critical issues to consider when selecting a provider for MPLS VPN service.
MPLS with minimum impact
As with any architecture that provides VPNs over shared wide area or metro area facilities, MPLS offers an effective way to expand networks geographically while establishing any-to-any connectivity. Because it can replace dedicated circuits such as Frame Relay or ATM, MPLS also helps to reduce costs. Subscribing to a Layer 3 MPLS VPN WAN service allows the enterprise to migrate away from a hub-and-spoke topology, where scaling is a major concern.
Enterprises may choose to use outsourcing as a permanent MPLS solution, or to make a transition over time toward a self-managed MPLS network. Another option is to subscribe to a service hybrid, packaged by the provider as "unbundled" services. One example of a hybrid is when the enterprise manages the customer edge (CE) and the service provider offers Layer 2 transport support and additional managed network services. The enterprise customer retains control over its edge domain.
Key questions to ask
As you interview potential service providers, be sure to address the following key issues:
- Does the service provider track and monitor the entire network?
- Can it secure its own network traffic and manage priority traffic across other networks?
- What are the performance thresholds for network latency and availability?
- How is performance measured and delivered to you?
- Are there procedures for on-the-fly load rebalancing, security assessments and regular backups?
- Can its data center support your requirements for physical and network security, capacity, availability, operations and backbone connectivity?
- How quickly will the provider respond to business change?
- What are the terms if the network goes down or the level of service is not maintained?
In addition, major factors to consider include:
Quality of service
MPLS support for end-to-end quality of service (QoS) helps ensure that the network prioritizes critical traffic such as voice. You should discuss with the service provider the classes of service (CoSs) available and your organization's needs.
Some providers may team with others to provide global services or with third parties offering non-MPLS service. This may affect QoS, since assignment of class values differs from one provider to another. Partners should have agreements that specify CoS equivalencies, and you will need to understand these values to ensure they can support your requirements. If your firm is interested in creating extranets for partners or customers, discuss also whether the provider is willing to provide adequate QoS via IP VPNs from other companies.
Routing and routing convergence
Most routing protocols (including eBGP, OSPF, EIGRP, RIP, and static routes) are supported by today's service providers. If you do not run BGP, however, redistribution will be required on the CE router. If the provider is managing the enterprise-provider link, the provider is responsible for choosing the protocol and maintaining the link. CE-to-CE IPsec or GRE tunnels also are supported. Usually linking to the edge router is quite straightforward, needing little or no new functionality.
You need to be aware that not every provider supports IP multicast traffic for applications such as video. Multicasting allows information to be efficiently distributed between a single multicast source and many receivers. If the provider does not support it, your enterprise will need to create a series of GRE tunnels as an overlay in order to provide multicast over the MPLS network.
MPLS VPNs provide the same level of security as Layer 2 VPNs, equivalent to that of private circuits. MPLS VPNs offer address space and routing separation, and they are resistant to attacks and label spoofing. In an MPLS environment, a VPN customer may perform IP-source address spoofing, but because there is a strict separation between VPNs and between the VPN and the core, this type of spoofing remains within the VPN where it originated.
The most critical network security issue is that MPLS VPNs are part of a shared infrastructure. You need to know whether Internet access is provided over the same core as VPN access, and what security measures are taken to avoid one service affecting the other. A VPN-only service is more secure; however, the level of risk associated with a shared core infrastructure is acceptable for most companies. The provider may offer separate provider edge routers for Internet and VPN access, but usually at a higher cost. You may also ask about the security of the core infrastructure, and the provider's risk mitigation policies.
Connecting to the service provider
When connecting the enterprise to an outsourced MPLS network, the service provider is responsible for linking to your firm at either Layer 2 or 3. With peering at Layer 3, the provider's network routes IP packets through its shared network, while enabling secure transport. It does this by installing a virtual route forwarding (VRF) table for each customer, which isolates that traffic from others.
One of the advantages of Layer 3 peering is that the two networks can exchange routing information directly. Bandwidth scalability is limited only by the type of transport the provider offers; for example, Gigabit Ethernet is more scalable than Frame Relay. In addition, most service providers can provide QoS with greater intelligence in Layer 3. The any-to-any connectivity inherent in a Layer 3 MPLS VPN also offers more efficient routing.
A Layer 2 VPN, in which Layer 2 packets or cells are carried over an MPLS network -- also called Any Transport over MPLS (AToM) -- is a good solution for some enterprises, especially those with ATM, Frame Relay, or Ethernet networks that need point-to-point Layer 2 connectivity. The virtual point-to-point circuits characteristic of Layer 2 networks are set up through VPNs.
In conclusion, do not neglect to discuss issues such as high availability (at least four nines, preferably five), getting references, guarantees, pilot programs, and training. Carefully assess the staff's technical knowledge, migration support, scalability and availability, and general administrative capabilities. The service provider's experience in deploying managed Layer 3 services and its fit to your requirements are the most critical elements in outsource assessment.
For more detailed technical information, see the white paper, Layer 3 MPLS VPN Enterprise Consumer Guide.
About the author:
Robert Vigil is a service provider systems engineer at Cisco Systems Inc.